Displaying a directory in the browser 1

[abiale]

I`d like to ask you for help.

My question is: how to disable users from displaying the contents of a directory from a browser if they put

http://my

adress/anydirectory1/ ?

I`d like to redirect them to the login page or to display a error message ("Acces forbidden&quot

I`d would be grateful for any help.

Thanks,

Arthur

 

[RhythmAce]

All directories should have an index.html in them to prevent this. This index page could be blank or contain a message saying they have no cotton pickin' business being there and a link back to where they should be.

 

[Chacalinc]

You can do it. You must to edit httpd.conf and delete the word &quot;Indexes&quot; on &quot;<Directory /path/to_your/pages>&quot; line &quot;Options&quot;. so it must NOT looks like:

<Directory /path/to_your/pages>
Options Indexes
AllowOverride none
Order Allow, Deny
Allow from All
</Directory>

Take a look on:

http://httpd.apache.org/docs/mod/core.html#options

Cheers.

 

[abiale]

Thanks a lot for your help!

Artur

 

[BitFuzzy]

Alternatly,

If you chmod the directory to '0711'
any attempt to view '

http://www.somesite.com/images/'

will result in

Forbidden
You don't have permission to access /images/ on this server.

just my 2 cents

 

[JVKAdmin]

Hi,

I am trying to to get my webserver to display an smb mount file list from a windows server in apache and was wondering a few things about security. Is there a way to set up apache to display a directory listing but confine them to that directory and below and not have them be able to navigate up the tree ? Where is the best place on the file system to secure the mount point ?

So far all I have done is add an alias entry to my httpd.conf file to get the directory listing to appear.

Does anyone have any thoughts about this ?

Thanks

Kevin

 

[danomac]

Well,

If you change httpd.conf as Chacalinc said earlier:

<Directory /path/to_your/pages>
Options -Indexes 
AllowOverride Indexes
Order Allow, Deny
Allow from All
</Directory>

Make sure the Indexes has a '-' before it!

Then in the directory that you want people to have a directory listing for, create a .htaccess file with:

Options Indexes

This will allow you to have a single folder to have a directory listing. IIRC the parent directory is still listed as an option; if you click it though you will get an access forbidden error as the parent doesn't have Indexes enabled.

D

 

[JVKAdmin]

Danomac,

Thanks for the info. I tried what you said and got an error. The error log says &quot; Options not allowed here &quot;.

Any ideas ?

Thanks

 

[danomac]

Make sure AllowOverride isn't disabled elsewhere in httpd.conf.

I had that problem too.

D

 

[danomac]

Or to clarify, look for 'AllowOverride None' in your httpd.conf. It's set to None by default.

D

 

[JVKAdmin]

Danomac,

Actually what I did was this to make things work:

first removing Indexes from this line in the config file (Default for httpd.conf)

Options Indexes FollowSymLinks

to

Options FollowSymLinks

then I had to modify my directory directives as follows:

Alias /pricepages/ &quot;/var/

http://www/html/pricepages/&quot;

<Directory &quot;/var/

http://www/html/pricepages&quot;>

Options MultiViews
AllowOverride Options
Order allow,deny
Allow from all
</Directory>

After that the .htaccess file entry you mentioned worked.

Now two things, first off what is the purpose of using the - ? Does it simply reverse a pre-defined (or system default) entry in the script?

Secondly, is there a simply way to secure a directory within that document root with html files to prompt a user for a username and password ? (I have one directory where I want everyone to have access to and one that I want protected in that document root.) I've read a little bit about it but would appreciate some clarity.

Kevin

 

[danomac]

JVKAdmin,

Using the '-' disables indicated option. Hence, -Indexes disables Indexes.

To use that in an example, say that you wanted directory browsing in ALL folders except one. You would change your AllowOverride to Indexes, and set the .htaccess file in the single folder you want to protect to -Indexes.

You can do an authentication through Apache to a specific folder. Remember though that the username and password are sent in cleartext. If it's mission critical you may consider running a secure web site so the user/pass info is encrypted.

I don't know the exact steps to setup a authenticated folder off the top of my head, I'll post more info on that later.

D

 

[danomac]

This is a well-outlined page for setting up an authenticated folder:

http://httpd.apache.org/docs-2.0/howto/auth.html

D

 

[JVKAdmin]

Danomac,

Thanks for the link. I believe we are using Apache 1.3 however.

Kevin

 

[lexiskm]

As an experiment, I wanted to disable directory viewing. To do so, I deleted "Indexes" from the "Options" line and all was well.

To go back to the original config, whereby I would get a directory listing, I restored the following code:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

<Directory "C:/locserv">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Instead of the directory listing, however, I am now getting a "Forbidden" error page from Apache 1.3.31. (On MS XP Pro SvcPk 2).

Is there some kind of locking that takes place that I need to undo? I was under the impression that the initial:

<Directory />
...
</Directory>

Took care of all that.

Thanks in advance for your help.

 

[lexiskm]

Never mind.

Lesson learned... when one gets an error message, one should check the error log. Once I did, the error was obvioius and had nothing to do with the directories setup.

Sorry about that but perhaps someone will learn from my stupidity.

Lexis